Monday, 6 February 2017

Flicking the switch for your security culture program

Safer Internet Day

About a week ago, I was having a chat
to Jacqui Loustau at a Last Tuesday of the Month (LTOTM) event about a blog article for the AWSN to
promote ‘Safer Internet Day’. After some discussion and a few glasses of
red, we landed on a topic that will resonate with many information security
folks - how to actually plant the seed for security culture change.

Many security professionals are
fortunate to work within great companies or with great consulting clients, so
we spend a lot of time talking about the benefits of security culture, what is
best practice and what our peers in the industry are achieving. In our
excitement and zest for improving security culture maturity, we could be
forgiven for not taking a step back and thinking about those individuals and
organisations who are just starting their journey, or may not be aware there is
a journey!

Being in the business of security
culture means I’m regularly assessing just where our clients are on their
security culture journey. Regardless of industry sector, size or turnover,
Australian companies are at various stages of maturity. Some are just starting
to sow the seeds and get management buy in, some have internal support but need
a ‘kickstarter’ to help them plan and implement activities, and others have
more mature programs that they want to continually improve. Rarely is it a
question of budget or resources, but barriers such as lack of management
support, time constraints or ‘where do I start?’ are the common themes.

The purpose of this article is to help
provide some tips for our peers who need a helping hand. You know security
culture is important, but you might be having some difficulty obtaining the
necessary support to move forward. So, without further ado, here are some prime
pointers for helping you get the show on the road.

The burning platform

Like any behavioural change initiative,
you need to identify the burning platform. By that I mean asking yourself, “the
consequences of not changing are… what?” Many of us know the answer
because we live and breathe security every day, but you need to be able to
convince your sponsor, manager or whoever the decision maker is (that is,
whoever controls the purse strings) why you need to embed security
culture within an organisation. It’s up to you to ensure security culture
has a seat at the table. More often than not, poor security behaviours
are already occurring; they just aren’t being articulated in a manner that will
inspire action. Knowing the pain points and being able to articulate them will
also help you define your metrics and ultimately measure the impact of the
program.

Get buy-in with data
The proof is in the pudding. Some of our clients run phishing exercises
and/or our targeted Hackability Assessments™, such as testing physical
security controls like access and tailgating. They then table these findings.
Learning that Joe Bloggs, pretending to be an IT contractor, made their way
into the building, popped their sandwich in the toaster in the common
room, had a chat to the staff, and then proceeded to collect confidential
information, plug access points into the network and spend the afternoon
wandering around the building tends to raise alarm bells, which in turn
can translate to support from the highest level of an organisation.

Partner up
Ensure you are partnering with people who have influence in the organisation
and who can help you find ways to effectively build a plan and communicate
the messages. In their book “Blue Ocean Strategy,” W. Chan Kim and
Renee Mauborgne suggest starting with people who have disproportionate
influence in the organisation. Once they are committed to the cause,
they can help shine a spotlight on your program so others get the message
too. Influencers can also provide much needed insight into what will
work and what won’t depending on an employee’s role, the channels they can
access and the success of other behavioural change initiatives. Stakeholders
who understand an organisation's mechanics include Internal
Communications, HR and Executive Assistants (the latter are also
influential amongst the C-Suite).

Don’t reinvent the wheel
Look for ways to align and leverage existing forums, champions or
activities. This can help ensure the message sticks. Opportunities include
the quarterly staff roadshow or Town Hall, Lunch and Learn series, Risk or
Change Champions network or other activities where there is already a
captive audience. Then find ways to incorporate your message. People
will thank you for being respectful of their time and existing commitments
if you leverage activities and events that are underway. These forums are
also a great way to connect to more arms and legs in the organisation,
especially if you have limited resources for your program.

Show me the money
Find out how much money is being spent on technology versus security culture
and change. I’m often surprised to learn that companies are spending
millions of dollars on technology but seem reluctant to support a security
culture program. ZDNet released this list of the biggest
hacks and security breaches from 2016 and upon closer inspection they are
all caused by the human factor, whether it was user error, poor coding, or
poor security behaviours. Industry relevant case studies and media
coverage can help communicate where things can/have gone wrong and help
your business case for funding.

Celebrate your wins
Share stories about individuals or teams that demonstrate positive
security culture behaviour and reward them. If someone has reported an
incident or highlighted a risk, give them a virtual high five on Yammer or
leave them a personalised desk note from the Cyber Security team thanking
them for their efforts.

Flicking the switch
Thinking securely isn’t about recalling a set of security related facts.
It is about viewing the world in a particular way and flicking the
security mindset ‘switch’. Ask staff what they want to see in a security
culture program. We find that focusing on the personal impacts of security, such
as social media, cyber bullying and online fraud, is a good way to grab
attention. You can then tailor the message and link it to the security
culture behaviours you want to see embedded in the workplace. Try to make
it fun, whether that is by sharing quirky YouTube videos about security
incidents or creating a cyber security mascot with some catchy slogans.
Stories are also a great way to engage people in a topic they may
not necessarily feel interested in. And please, no pictures of
padlocks, fish or masked hackers. For
more advice, read the simple tips from businesses
with security culture programs here.

Finally, remember that building a
security culture won’t happen overnight. You will need patience and persistence
to drive behavioural change. Sowing the seeds for a secure culture is about
engaging with the right people, getting their support, and committing to a
plan. The SIT community joined forces yesterday to #AskOutLoud around Australia
for Safer Internet Day and to help put security culture on the radar. It’s now
up to all of us to keep this momentum going.

Ayebare Kagina (Manzi): How about helping a not-for-profit with their initiatives or joining a student mentoring group? Some countries also run competitions where citizens can contribute ideas for Government security awareness campaigns. Finally, you could consider becoming a freelance consultant on freelancer.com.